A better way for pip to handle this might be to add a --proxy-auth
flag that takes : and does the encoding for the
user before adding it to the Proxy URL.

Issue - This is something not allowed:

Strictly speaking, the literal # character is not valid in the
userinfo portion of a URI, according to RFC 3986, and should be
percent encoded. However, it's not exactly a surprise that many tools
handle this ok: there's clearly no actual ambiguity about that
character. Note, however, that if there were an @ symbol in the
password you'd definitely have to urlencode it: for that reason, it's
a good habit to get into to urlencode your passwords before they go
into URIs.

The authority component is preceded by a double slash ("//") and is
terminated by the next slash ("/"), question mark ("?"), or number
sign ("#") character, or by the end of the URI. In other words, the
current behaviour is correct in expecting the authority to be
terminated by the first / (or ? or #) it finds after the preceeding
//. Am I sympathetic to people trying to use proxy URIs with pip?
Absolutely. I think hacking together something that violates the RFC
has the potential for nasty surprises later on.